res_pjsip_pubsub: Prevent crashes on final NOTIFY.
authorMark Michelson <mmichelson@digium.com>
Mon, 28 Sep 2015 21:36:25 +0000 (16:36 -0500)
committerRichard Mudgett <rmudgett@digium.com>
Thu, 22 Oct 2015 21:18:08 +0000 (16:18 -0500)
The SIP dialog is removed from the subscription tree when the final
NOTIFY is sent. However, after the final NOTIFY is sent, the persistence
update function still attempts to access the cseq from the dialog,
resulting in a crash.

This fix removes the subscription persistence at the same time that the
dialog is removed from the subscription tree. This way, there is no
attempt to update persistence when the subscription is being destroyed.

Change-Id: Ibb46977a6cef9c51dc95f40f43446e3d11eed5bb

res/res_pjsip_pubsub.c

index 517b1ee..3b4c5d6 100644 (file)
@@ -598,6 +598,7 @@ static void subscription_persistence_remove(struct sip_subscription_tree *sub_tr
 
        ast_sorcery_delete(ast_sip_get_sorcery(), sub_tree->persistence);
        ao2_ref(sub_tree->persistence, -1);
+       sub_tree->persistence = NULL;
 }
 
 
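Review bot: The new `sub_tree->persistence = NULL;` makes a repeated call safe only if `subscription_persistence_remove` returns early on a NULL pointer, and any such guard sits above this hunk where it cannot be seen; the function starts outside the hunk. Other readers of `sub_tree->persistence`, such as the persistence update path named in the commit message, presumably need the same NULL check now that the field can be cleared while the tree is still alive. I would document the intent on the new line: `/* Cleared so later persistence updates and a repeated removal see NULL, not a released object. */`.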
@@ -1185,7 +1186,6 @@ static void subscription_tree_destructor(void *obj)
 
        remove_subscription(sub_tree);
 
-       subscription_persistence_remove(sub_tree);
        ao2_cleanup(sub_tree->endpoint);
 
        destroy_subscriptions(sub_tree->root);
@@ -3289,6 +3289,7 @@ static void pubsub_on_evsub_state(pjsip_evsub *evsub, pjsip_event *event)
        ast_sip_dialog_set_serializer(sub_tree->dlg, NULL);
        ast_sip_dialog_set_endpoint(sub_tree->dlg, NULL);
        sub_tree->dlg = NULL;
+       subscription_persistence_remove(sub_tree);
        shutdown_subscriptions(sub_tree->root);
 
        /* Remove evsub's reference to the sub_tree */
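Review bot: `subscription_persistence_remove(sub_tree)` now runs only in this branch of `pubsub_on_evsub_state`, because the same commit drops the call from `subscription_tree_destructor`. A tree destroyed without reaching this branch would therefore keep its ao2 reference on `persistence` and leave the stored record in sorcery. Whether such a path exists (for example, a failure after persistence is created but before the evsub terminates) cannot be told from the visible lines. Since the first hunk now clears the pointer, keeping `subscription_persistence_remove(sub_tree);` in the destructor before `ao2_cleanup(sub_tree->endpoint);` looks safe as a fallback, provided the function returns early on NULL. The body of `pubsub_on_evsub_state` starts and ends outside the hunk.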